Many Ways to Misuse Your Current SSH Architecture

In this illustration, our server administrator, Jo, connected a DMZ host to
an intranet-patching server so as to apply patches to the DMZ host. She was able
to get around technical restrictions, but, sadly, architectural separations were
lost as well. Let’s review agent forwarding risks.

Depending on the scripts, the administrator may use agent forwarding to
negotiate the connection from Box D to Box P. With this design, Box D would
relay authentication with your login credentials (the private key stored on
Box A) to Box P and further automate the convoluted process. How is that done?
In most cases, via a UNIX domain socket file.

In UNIX, all things are files. To send network traffic, UNIX writes the
traffic to the network device file. In this case, the forwarded connection back
to Box A (and thus to the private key used for authentication) is a socket file
on Box D. This file shuttles the authentication traffic between Box A and Box P.
So what’s the risk?

Maybe the hacker can’t get a copy of the private key through the socket
file, but something better (from his/her view) can be done. If the hacker has
root on Box D, he or she can point a private copy of the agent forwarding
software to that socket file and thereby point the authentication process to the
administrator’s credentials—the ones kept on the "safe"
intranet. What are the chances that the administrator has configured access to
all the DMZ servers she controls? Altering some environment variables allows the
intruder to attempt to access other DMZ hosts with our administrator’s
private key. This can mean direct access as root or local administrator. And so
this socket file becomes a door to many other systems in the DMZ.

Additionally, by setting the right booby traps, the hacker can alter the
administrator’s patch-loading scripts that run against the company’s
intranet-patching server. If the server administrator is root on that internal
device and the private key identity is recognized as such, how many copies of
bot software will be installed on your company’s PCs in no
time?
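As an added defender-side check (not code from the article), the following POSIX shell script audits both ends of the path described above: it flags an sshd whose effective configuration (`sshd -T` output) still allows agent forwarding, and lists the Host blocks in a client ssh_config that turn ForwardAgent on. The sample inputs are constructed; the host names and the `ProxyJump` line shown as the forwarding-free alternative are assumptions, not the article's.

```shell
#!/bin/sh
# Added example (not from the article): audit agent-forwarding exposure on the
# server side (Box D / Box P) and the client side (Box A).
# $1: file holding `sshd -T` output (effective config, lowercase keywords).
# Returns 0 only when forwarding is off; OpenSSH defaults AllowAgentForwarding
# to yes, so an unset keyword is reported as a risk too.
check_sshd_agent_forwarding() {
    setting=$(awk '$1 == "allowagentforwarding" { print $2 }' "$1")
    case "$setting" in
        no)  echo "ok: sshd refuses forwarded agents"; return 0 ;;
        yes) echo "RISK: allowagentforwarding yes"; return 1 ;;
        *)   echo "RISK: allowagentforwarding unset (default is yes)"; return 1 ;;
    esac
}

# $1: ssh_config file. Prints the Host patterns of every block that carries
# "ForwardAgent yes" (keywords are case-insensitive) and returns 1 if any
# exist. A line before the first Host stanza applies to every destination.
list_forwarding_hosts() {
    awk '
        tolower($1) == "host" { host = $2; for (i = 3; i <= NF; i++) host = host " " $i }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            print (host == "" ? "(global)" : host); found = 1
        }
        END { if (found) exit 1 }
    ' "$1"
}

# Constructed sample inputs (no real hosts); files are left in $TMP for review.
TMP=${TMPDIR:-/tmp}/agent-audit.$$
mkdir -p "$TMP"
cat > "$TMP/sshd_weak.txt" <<'EOF'
allowagentforwarding yes
EOF
cat > "$TMP/sshd_hardened.txt" <<'EOF'
allowagentforwarding no
EOF
cat > "$TMP/ssh_config" <<'EOF'
Host dmz-web dmz-db
    User jo
    ForwardAgent yes
Host patch-server
    ProxyJump bastion
    ForwardAgent no
EOF
check_sshd_agent_forwarding "$TMP/sshd_weak.txt"
check_sshd_agent_forwarding "$TMP/sshd_hardened.txt"
list_forwarding_hosts "$TMP/ssh_config"
```

On a live host, feed `sshd -T` output and the administrator's `~/.ssh/config` to the two functions instead of the constructed files.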

TIP

Clue: This sort of issue is the primary reason to practice containment across
risk zones. It’s not done only to make self-important developers
angry—that’s just a bonus.